CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-27 18:33:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

change reference from bro to zeek

Browse Source
This commit is contained in:
m0duspwnens
2020-07-17 14:41:44 -04:00
parent 74f6f2abee
commit e3efaee864
15 changed files with 60 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
salt/common/maps/so-status.map.jinja
View File

@@ -33,7 +33,7 @@
{% endif %}
{% if role in ['heavynode', 'standalone'] %}
{{ append_containers('static', 'broversion', 'SURICATA') }}
{{ append_containers('static', 'zeekversion', 'SURICATA') }}
{% endif %}
{% if role == 'searchnode' %}
@@ -41,5 +41,5 @@
{% endif %}
{% if role == 'sensor' %}
{{ append_containers('static', 'broversion', 'SURICATA') }}
{{ append_containers('static', 'zeekversion', 'SURICATA') }}
{% endif %}

14
salt/common/tools/sbin/so-bro-logs
View File

@@ -1,17 +1,17 @@
#!/bin/bash
local_salt_dir=/opt/so/saltstack/local
bro_logs_enabled() {
zeek_logs_enabled() {
echo "brologs:" > $local_salt_dir/pillar/brologs.sls
echo " enabled:" >> $local_salt_dir/pillar/brologs.sls
echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
echo " enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
for BLOG in ${BLOGS[@]}; do
echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
done
}
whiptail_manager_adv_service_brologs() {
whiptail_manager_adv_service_zeeklogs() {
BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
"conn" "Connection Logging" ON \
@@ -54,5 +54,5 @@ whiptail_manager_adv_service_brologs() {
"x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
}
whiptail_manager_adv_service_brologs
bro_logs_enabled
whiptail_manager_adv_service_zeeklogs
zeek_logs_enabled

6
salt/filebeat/etc/filebeat.yml
View File

@@ -6,7 +6,7 @@
{%- set HOSTNAME = salt['grains.get']('host', '') %}
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh', '0') %}
{%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %}
{%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%}
@@ -100,8 +100,8 @@ filebeat.inputs:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
{%- if BROVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
{%- if ZEEKVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('zeeklogs:enabled', '') %}
- type: log
paths:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log

2
salt/suricata/init.sls
View File

@@ -14,7 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
{% set BROVER = salt['pillar.get']('static:broversion', '') %}
{% set ZEEKVER = salt['pillar.get']('static:zeekversion', '') %}
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('static:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %}

2
salt/suricata/suricata_config.map.jinja
View File

@@ -44,7 +44,7 @@ HOME_NET: "[{{salt['pillar.get']('static:hnmanager', '')}}]"
{% endfor %}
{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
{% if salt['pillar.get']('static:broversion', 'ZEEK') == 'SURICATA' %}
{% if salt['pillar.get']('static:zeekversion', 'ZEEK') == 'SURICATA' %}
{% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
{% endif %}

10
salt/top.sls
View File

@@ -1,4 +1,4 @@
{%- set BROVER = salt['pillar.get']('static:broversion', '') -%}
{%- set ZEEKVER = salt['pillar.get']('static:zeekversion', '') -%}
{%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%}
{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%}
{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%}
@@ -48,7 +48,7 @@ base:
- pcap
- suricata
- healthcheck
{%- if BROVER != 'SURICATA' %}
{%- if ZEEKVER != 'SURICATA' %}
- zeek
{%- endif %}
- wazuh
@@ -86,7 +86,7 @@ base:
- kibana
- pcap
- suricata
{%- if BROVER != 'SURICATA' %}
{%- if ZEEKVER != 'SURICATA' %}
- zeek
{%- endif %}
{%- if STRELKA %}
@@ -188,7 +188,7 @@ base:
- kibana
- pcap
- suricata
{%- if BROVER != 'SURICATA' %}
{%- if ZEEKVER != 'SURICATA' %}
- zeek
{%- endif %}
{%- if STRELKA %}
@@ -347,7 +347,7 @@ base:
{%- endif %}
- pcap
- suricata
{%- if BROVER != 'SURICATA' %}
{%- if ZEEKVER != 'SURICATA' %}
- zeek
{%- endif %}
- filebeat

2
salt/zeek/files/node.cfg
View File

@@ -38,7 +38,7 @@ af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size={{ salt['pillar.get']('sensor:zeek_buffer', 128*1024*1024) }}
{%- else %}
[brosa]
[zeeksa]
type=standalone
host=localhost
interface={{ interface }}